CLI-248 Git hook callbacks for pre-commit and pre-push

Author: kirill-knize-sonarsource

src/cli/command-tree.ts

@@ -40,6 +40,8 @@ import { MAX_PAGE_SIZE } from '../sonarqube/projects';
 import { apiCommand, apiExtraHelpText, type ApiCommandOptions } from './commands/api/api';
 import { GENERIC_HTTP_METHODS } from '../sonarqube/client';
 import { claudePreToolUse } from './commands/hook/claude-pre-tool-use';
+import { gitPreCommit } from './commands/hook/git-pre-commit';
+import { gitPrePush } from './commands/hook/git-pre-push';
 
 const DEFAULT_PAGE_SIZE = MAX_PAGE_SIZE;
 
@@ -259,6 +261,16 @@ hookCommand
     return;
   });
 
+hookCommand
+  .command('git-pre-commit')
+  .description('git pre-commit handler: scan staged files for secrets')
+  .anonymousAction(() => gitPreCommit());
+
+hookCommand
+  .command('git-pre-push')
+  .description('git pre-push handler: scan files in new commits for secrets')
+  .anonymousAction(() => gitPrePush());
+
 // Hidden flush command — only registered when running as a telemetry worker.
 if (process.env[TELEMETRY_FLUSH_MODE_ENV]) {
   COMMAND_TREE.command('flush-telemetry', { hidden: true }).anonymousAction(flushTelemetry);

src/cli/commands/hook/git-pre-commit.ts

@@ -0,0 +1,67 @@
+/*
+ * SonarQube CLI
+ * Copyright (C) SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+// git pre-commit callback handler — scans staged files for secrets before commit.
+// Replaces the shell logic that was previously embedded in the git hook script.
+
+import { resolveAuth } from '../../../lib/auth-resolver';
+import logger from '../../../lib/logger';
+import { spawnProcess } from '../../../lib/process';
+import { resolveSecretsBinaryPath } from '../_common/install/secrets';
+import { EXIT_CODE_SECRETS_FOUND, runSecretsBinary } from '../analyze/secrets';
+import { CommandFailedError } from '../_common/error';
+
+export async function gitPreCommit(): Promise<void> {
+  const stagedFiles = await getStagedFiles();
+  if (stagedFiles.length === 0) return;
+
+  const auth = await resolveAuth().catch(() => null);
+  if (!auth) return; // not authenticated — skip gracefully
+
+  const binaryPath = resolveSecretsBinaryPath();
+  if (!binaryPath) return; // binary not installed — skip gracefully
+
+  try {
+    const result = await runSecretsBinary(binaryPath, stagedFiles, auth);
+    const exitCode = result.exitCode ?? 1;
+    if (exitCode === EXIT_CODE_SECRETS_FOUND) {
+      throw new CommandFailedError('Secrets detected in staged files');
+    }
+  } catch (err) {
+    if (err instanceof CommandFailedError) throw err;
+    logger.debug(`git pre-commit secrets scan failed: ${(err as Error).message}`);
+    throw new CommandFailedError('Secrets scan failed');
+  }
+}
+
+async function getStagedFiles(): Promise<string[]> {
+  try {
+    const result = await spawnProcess('git', [
+      'diff',
+      '--cached',
+      '--name-only',
+      '--diff-filter=ACMR',
+    ]);
+    if (result.exitCode !== 0) return [];
+    return result.stdout.trim().split('\n').filter(Boolean);
+  } catch {
+    return [];
+  }
+}

src/cli/commands/hook/git-pre-push.ts

@@ -0,0 +1,132 @@
+/*
+ * SonarQube CLI
+ * Copyright (C) SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+// git pre-push callback handler — scans files in new commits for secrets before push.
+// Replaces the shell logic that was previously embedded in the git hook script.
+
+import { resolveAuth } from '../../../lib/auth-resolver';
+import logger from '../../../lib/logger';
+import { spawnProcess } from '../../../lib/process';
+import { resolveSecretsBinaryPath } from '../_common/install/secrets';
+import { EXIT_CODE_SECRETS_FOUND, runSecretsBinary } from '../analyze/secrets';
+import { readGitPushRefs } from './stdin';
+import type { PushRef } from './stdin';
+import { CommandFailedError } from '../_common/error';
+
+const GIT_NULL_OID = '0000000000000000000000000000000000000000';
+
+export async function gitPrePush(): Promise<void> {
+  const refs = await readGitPushRefs();
+  if (refs.length === 0) return;
+
+  const auth = await resolveAuth().catch(() => null);
+  if (!auth) return; // not authenticated — skip gracefully
+
+  const binaryPath = resolveSecretsBinaryPath();
+  if (!binaryPath) return; // binary not installed — skip gracefully
+
+  const emptyTree = await getEmptyTree();
+
+  for (const ref of refs) {
+    if (ref.localSha === GIT_NULL_OID) continue; // branch deletion — nothing to scan
+
+    const files = await getFilesForRef(ref, emptyTree);
+    if (files.length === 0) continue;
+
+    try {
+      const result = await runSecretsBinary(binaryPath, files, auth);
+      const exitCode = result.exitCode ?? 1;
+      if (exitCode === EXIT_CODE_SECRETS_FOUND) {
+        throw new CommandFailedError('Secrets detected in pushed commits');
+      }
+    } catch (err) {
+      if (err instanceof CommandFailedError) throw err;
+      logger.debug(`git pre-push secrets scan failed: ${(err as Error).message}`);
+      throw new CommandFailedError('Secrets scan failed');
+    }
+  }
+}
+
+async function getEmptyTree(): Promise<string> {
+  try {
+    const result = await spawnProcess('git', ['mktree'], { stdin: 'pipe', stdinData: '' });
+    return result.stdout.trim() || GIT_NULL_OID;
+  } catch {
+    return GIT_NULL_OID;
+  }
+}
+
+async function getFilesForRef(ref: PushRef, emptyTree: string): Promise<string[]> {
+  try {
+    if (ref.remoteSha === GIT_NULL_OID) {
+      return await getFilesForNewBranch(ref.localSha, emptyTree);
+    }
+    const result = await spawnProcess('git', [
+      'diff',
+      '--name-only',
+      '--diff-filter=ACMR',
+      ref.remoteSha,
+      ref.localSha,
+    ]);
+    return result.stdout.trim().split('\n').filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+
+async function getFilesForNewBranch(localSha: string, emptyTree: string): Promise<string[]> {
+  try {
+    const commitsResult = await spawnProcess('git', ['rev-list', localSha, '--not', '--remotes']);
+    const commits = commitsResult.stdout.trim().split('\n').filter(Boolean);
+
+    if (commits.length > 0) {
+      const fileSet = new Set<string>();
+      for (const commit of commits) {
+        const result = await spawnProcess('git', [
+          'diff-tree',
+          '--root',
+          '--no-commit-id',
+          '-r',
+          '--name-only',
+          '--diff-filter=ACMR',
+          commit,
+        ]);
+        result.stdout
+          .trim()
+          .split('\n')
+          .filter(Boolean)
+          .forEach((f) => fileSet.add(f));
+      }
+      return Array.from(fileSet);
+    }
+
+    // No other remotes — diff full branch against empty tree
+    const result = await spawnProcess('git', [
+      'diff',
+      '--name-only',
+      '--diff-filter=ACMR',
+      emptyTree,
+      localSha,
+    ]);
+    return result.stdout.trim().split('\n').filter(Boolean);
+  } catch {
+    return [];
+  }
+}

src/cli/commands/hook/stdin.ts

@@ -23,6 +23,36 @@
 
 const STDIN_TIMEOUT_MS = 5000;
 
+export interface PushRef {
+  localRef: string;
+  localSha: string;
+  remoteRef: string;
+  remoteSha: string;
+}
+
+/**
+ * Read git pre-push refs from stdin.
+ * Git passes refs as raw space-separated lines: <localRef> <localSha> <remoteRef> <remoteSha>
+ * Returns an empty array on timeout or error.
+ */
+export async function readGitPushRefs(): Promise<PushRef[]> {
+  let raw: string;
+  try {
+    raw = await readRawStdin();
+  } catch {
+    return []; // timeout or read error — allow the push
+  }
+  return raw
+    .trim()
+    .split('\n')
+    .filter(Boolean)
+    .map((line) => {
+      const [localRef, localSha, remoteRef, remoteSha] = line.split(' ');
+      return { localRef, localSha, remoteRef, remoteSha };
+    })
+    .filter((r) => r.localSha && r.remoteSha);
+}
+
 /**
  * Read stdin, parse as JSON, and return the result typed as T.
  * Throws if stdin is not valid JSON or if the read times out.

src/cli/commands/integrate/git/git-shell-fragments.ts

@@ -27,38 +27,10 @@ export const HOOK_MARKER = 'Sonar secrets scan - installed by sonar integrate gi
 
 export const SONAR_HOOK_SKIP_SECRETS_MESSAGE = 'sonarqube-cli not found, skipping secrets scan';
 
-/**
- * All-zero object id Git passes on pre-push stdin for ref deletion (`local_sha`) and new refs
- * (`remote_sha`). See githooks(5) "pre-push". SHA-1 length; SHA-256 repos use 64 hex zeros instead.
- */
-const GIT_HOOK_NULL_OID = '0000000000000000000000000000000000000000';
-
-// ─── Shared block ─────────────────────────────────────────────────────────────
-// Used inside `while read ... done` in both native and Husky pre-push scripts.
-// filesVar: shell variable name to assign results to.
-// Indented 4 spaces to sit inside `while` + `if [ remote_sha = null oid ]`.
-// `$EMPTY_TREE` is set once before the loop (see prePushBody).
-function newBranchPushBlock(filesVar: string): string {
-  return (
-    `    # New branch push — enumerate commits not yet on any remote, then diff-tree each one\n` +
-    `    COMMITS=$(git rev-list "$local_sha" --not --remotes 2>/dev/null)\n` +
-    `    if [ -n "$COMMITS" ]; then\n` +
-    `      ${filesVar}=$(echo "$COMMITS" | while IFS= read -r c; do\n` +
-    `        git diff-tree --no-commit-id -r --name-only --diff-filter=ACMR "$c" 2>/dev/null\n` +
-    `      done | sort -u)\n` +
-    `    else\n` +
-    `      # No other remotes to compare against — diff the full branch against an empty tree\n` +
-    `      ${filesVar}=$(git diff --name-only --diff-filter=ACMR $EMPTY_TREE "$local_sha" 2>/dev/null)\n` +
-    `    fi`
-  );
-}
-
 // ─── Binary resolution blocks ──────────────────────────────────────────────────
 // The only material difference between native and Husky variants.
 // Husky injects node_modules/.bin into PATH — strip it before looking up sonar.
 
-type BinBlock = () => string;
-
 function nativeBinBlock(): string {
   return (
     // `|| :` avoids exiting under `sh -e` when `command -v` fails (missing sonar).
@@ -75,54 +47,16 @@ function huskyBinBlock(): string {
   );
 }
 
-// ─── Shared script templates ───────────────────────────────────────────────────
-// Accept a binBlock function (native or Husky) to produce the correct resolver.
-
-function preCommitBody(filesVar: string, binBlock: BinBlock): string {
-  return (
-    `${filesVar}=$(git diff --cached --name-only --diff-filter=ACMR)\n` +
-    `[ -z "$${filesVar}" ] && exit 0\n` +
-    `${binBlock()}\n` +
-    `echo "$${filesVar}" | tr '\\n' '\\0' | xargs -0 "$SONAR_BIN" analyze secrets -- || exit 1\n`
-  );
-}
-
-function prePushBody(filesVar: string, binBlock: BinBlock): string {
-  return (
-    `${binBlock()}\n` +
-    `# Canonical empty tree: \`git mktree\` with no entries (correct for the repo's hash algorithm).\n` +
-    `EMPTY_TREE=$(printf '' | git mktree)\n` +
-    `# For each ref being pushed, scan files in the new commits\n` +
-    `while read -r local_ref local_sha remote_ref remote_sha; do\n` +
-    `  # Branch deletion — nothing to scan\n` +
-    `  [ "$local_sha" = '${GIT_HOOK_NULL_OID}' ] && continue\n` +
-    `  if [ "$remote_sha" = '${GIT_HOOK_NULL_OID}' ]; then\n` +
-    `${newBranchPushBlock(filesVar)}\n` +
-    `  else\n` +
-    `    ${filesVar}=$(git diff --name-only --diff-filter=ACMR "$remote_sha" "$local_sha")\n` +
-    `  fi\n` +
-    `  [ -z "$${filesVar}" ] && continue\n` +
-    `  echo "$${filesVar}" | tr '\\n' '\\0' | xargs -0 "$SONAR_BIN" analyze secrets -- || exit 1\n` +
-    `done\n` +
-    `exit 0\n`
-  );
-}
-
 // ─── Native .git/hooks/ scripts ───────────────────────────────────────────────
 // Standalone files written to .git/hooks/pre-commit or .git/hooks/pre-push.
 // Use plain PATH lookup — git does not inject node_modules/.bin.
 
 export function getPreCommitHookScript(): string {
-  return (
-    `#!/bin/sh\n` +
-    `# ${HOOK_MARKER}\n` +
-    `# Staged files (added/copy/modified, not deleted)\n` +
-    preCommitBody('FILES', nativeBinBlock)
-  );
+  return `#!/bin/sh\n# ${HOOK_MARKER}\n${nativeBinBlock()}\n"$SONAR_BIN" hook git-pre-commit\n`;
 }
 
 export function getPrePushHookScript(): string {
-  return `#!/bin/sh\n# ${HOOK_MARKER}\n` + prePushBody('FILES', nativeBinBlock);
+  return `#!/bin/sh\n# ${HOOK_MARKER}\n${nativeBinBlock()}\n"$SONAR_BIN" hook git-pre-push\n`;
 }
 
 export function getHookScript(hook: GitHookType): string {
@@ -135,11 +69,11 @@ export function getHookScript(hook: GitHookType): string {
 // looking up `sonar` to avoid accidentally running a project-local package.
 
 export function getHuskyPreCommitSnippet(): string {
-  return `\n# ${HOOK_MARKER}\n` + preCommitBody('FILES', huskyBinBlock);
+  return `\n# ${HOOK_MARKER}\n${huskyBinBlock()}\n"$SONAR_BIN" hook git-pre-commit\n`;
 }
 
 export function getHuskyPrePushSnippet(): string {
-  return `\n# ${HOOK_MARKER}\n` + prePushBody('FILES', huskyBinBlock);
+  return `\n# ${HOOK_MARKER}\n${huskyBinBlock()}\n"$SONAR_BIN" hook git-pre-push\n`;
 }
 
 export function getHuskySnippet(hook: GitHookType): string {

src/lib/process.ts

@@ -28,6 +28,7 @@ export interface SpawnOptions {
   cwd?: string;
   env?: Record<string, string>;
   stdin?: StdioMode;
+  stdinData?: string;
   stdout?: StdioMode;
   stderr?: StdioMode;
   detached?: boolean;
@@ -76,6 +77,11 @@ export async function spawnProcess(
       options.onSpawn(() => proc.kill());
     }
 
+    if (options.stdinData !== undefined && proc.stdin) {
+      proc.stdin.write(options.stdinData);
+      proc.stdin.end();
+    }
+
     proc.on('error', reject);
 
     proc.on('exit', (code) => {